Replication Pull task encrypted destination folders

Dear community,

I have two NAS setups (NAS1 main and NAS2 backup).
About a month ago, I set up a few replication tasks where I would PUSH data from NAS1 to NAS2.
This would generate independent decryption keys that I would store for future reference.

Due to some circumstances, I had to configure the replication tasks on NAS2 as a PULL request.
It is important to understand that both pools are encrypted with their own key.

I realized after finishing the first task, that the destination folder is encrypted without a way to download the keys to unlock the dataset, as shown below:
(Will include in the comments since it won’t let me post with embedded images or links)

I included an image showing the tasks config below:
(Will include in the comments since it won’t let me post with embedded images or links)

Since the “Include Dataset Properties” option is enabled, I thought the key to unlock the dataset would be the same key that originally encrypts it on the sending system, but it seems that key won’t work, and neither will the key that encrypts the pool on the receiving end.

What am I doing wrong?
Thank you for your time!

Seems I can’t post a link in the comments either :confused:

Forgot to mention NAS1 is running ElectricEel-24.10.1 and NAS2 is running Dragonfish-24.04.2.5

What does this show on both servers?

zfs list -t filesystem -r -o name,encryption,encroot,keyformat,keylocation <nameofpool>

Hey Winnie,
Thanks for getting back to me!

On NAS1, I get all the folders inside the pool, all encrypted, the keyformat is hex and the top folder’s key location is prompt.

On NAS2, all folders that I’ve created show up, and the two folders that have synced already, show up in ENCROOT with their own name, keylocation is prompt, on all of them.

What did I mess up?
Thank you.

Can you post the output in preformatted text?

I think I am facing quite a similar issue here. I performed a Replication Task from Nas A to Nas B. MainStorage/Apps was replicated recursively, with child datasets that inherited the encryption key of MainStorage/Apps, as shown below.

truenas_admin@truenas[~]$ sudo zfs list -t filesystem -r -o name,encryption,encroot,keyformat,keylocation MainStorage
[sudo] password for truenas_admin: 
NAME                                                          ENCRYPTION   ENCROOT           KEYFORMAT   KEYLOCATION
MainStorage                                                   off          -                 none        none
MainStorage/.system                                           off          -                 none        none
MainStorage/.system/configs-ae32c386e13840b2bf9c0083275e7941  off          -                 none        none
MainStorage/.system/cores                                     off          -                 none        none
MainStorage/.system/netdata-ae32c386e13840b2bf9c0083275e7941  off          -                 none        none
MainStorage/.system/nfs                                       off          -                 none        none
MainStorage/.system/samba4                                    off          -                 none        none
MainStorage/Apps                                              aes-256-gcm  MainStorage/Apps  hex         prompt
MainStorage/Apps/NetBird                                      aes-256-gcm  MainStorage/Apps  hex         none
MainStorage/Apps/NetBird/Client                               aes-256-gcm  MainStorage/Apps  hex         none
MainStorage/Apps/NextCloud                                    aes-256-gcm  MainStorage/Apps  hex         none
MainStorage/Apps/NextCloud/AppData                            aes-256-gcm  MainStorage/Apps  hex         none
MainStorage/Apps/NextCloud/PostgresData                       aes-256-gcm  MainStorage/Apps  hex         none
MainStorage/Apps/NextCloud/UserData                           aes-256-gcm  MainStorage/Apps  hex         none
MainStorage/Apps/OpenWebUI                                    aes-256-gcm  MainStorage/Apps  hex         none
MainStorage/Apps/OpenWebUI/DataStorage                        aes-256-gcm  MainStorage/Apps  hex         none
MainStorage/Apps/OpenWebUI/OllamaStorage                      aes-256-gcm  MainStorage/Apps  hex         none
MainStorage/Apps/WikiJs                                       aes-256-gcm  MainStorage/Apps  hex         none
MainStorage/Apps/WikiJs/Data                                  aes-256-gcm  MainStorage/Apps  hex         none
MainStorage/ix-apps                                           off          -                 none        none
MainStorage/ix-apps/app_configs                               off          -                 none        none
MainStorage/ix-apps/app_mounts                                off          -                 none        none
MainStorage/ix-apps/docker                                    off          -                 none        none
MainStorage/ix-apps/truenas_catalog                           off          -                 none        none

However, when the replication is completed, the replicated dataset on Nas B does not come with an inherited encryption key and instead was broken down into individual encryption keys. It still uses the same encryption key; however, I will have to manually input the key for each dataset, which is troublesome.

I was expecting to just have to unlock MainStorage/Backup/Apps, and it would then automatically unlock the rest.

truenas_admin@truenas[~]$ sudo zfs list -t filesystem -r -o name,encryption,encroot,keyformat,keylocation MainStorage 
[sudo] password for truenas_admin: 
NAME                                                          ENCRYPTION   ENCROOT                                          KEYFORMAT   KEYLOCATION
MainStorage                                                   off          -                                                none        none
MainStorage/.system                                           off          -                                                none        none
MainStorage/.system/configs-ae32c386e13840b2bf9c0083275e7941  off          -                                                none        none
MainStorage/.system/cores                                     off          -                                                none        none
MainStorage/.system/netdata-ae32c386e13840b2bf9c0083275e7941  off          -                                                none        none
MainStorage/.system/nfs                                       off          -                                                none        none
MainStorage/.system/samba4                                    off          -                                                none        none
MainStorage/Backup                                            off          -                                                none        none
MainStorage/Backup/Apps                                       aes-256-gcm  MainStorage/Backup/Apps                          hex         prompt
MainStorage/Backup/Apps/NetBird                               aes-256-gcm  MainStorage/Backup/Apps/NetBird                  hex         prompt
MainStorage/Backup/Apps/NetBird/Client                        aes-256-gcm  MainStorage/Backup/Apps/NetBird/Client           hex         prompt
MainStorage/Backup/Apps/NextCloud                             aes-256-gcm  MainStorage/Backup/Apps/NextCloud                hex         prompt
MainStorage/Backup/Apps/NextCloud/AppData                     aes-256-gcm  MainStorage/Backup/Apps/NextCloud/AppData        hex         prompt
MainStorage/Backup/Apps/NextCloud/PostgresData                aes-256-gcm  MainStorage/Backup/Apps/NextCloud/PostgresData   hex         prompt
MainStorage/Backup/Apps/NextCloud/UserData                    aes-256-gcm  MainStorage/Backup/Apps/NextCloud/UserData       hex         prompt
MainStorage/Backup/Apps/OpenWebUI                             aes-256-gcm  MainStorage/Backup/Apps/OpenWebUI                hex         prompt
MainStorage/Backup/Apps/OpenWebUI/DataStorage                 aes-256-gcm  MainStorage/Backup/Apps/OpenWebUI/DataStorage    hex         prompt
MainStorage/Backup/Apps/OpenWebUI/OllamaStorage               aes-256-gcm  MainStorage/Backup/Apps/OpenWebUI/OllamaStorage  hex         prompt
MainStorage/Backup/Apps/WikiJs                                aes-256-gcm  MainStorage/Backup/Apps/WikiJs                   hex         prompt
MainStorage/Backup/Apps/WikiJs/Data                           aes-256-gcm  MainStorage/Backup/Apps/WikiJs/Data              hex         prompt
MainStorage/Backup/ix-apps                                    off          -                                                none        none
MainStorage/Backup/ix-apps/app_configs                        off          -                                                none        none
MainStorage/Backup/ix-apps/app_mounts                         off          -                                                none        none
MainStorage/Backup/ix-apps/docker                             off          -                                                none        none
MainStorage/Backup/ix-apps/truenas_catalog                    off          -                                                none        none
MainStorage/ix-apps                                           off          -                                                none        none
MainStorage/ix-apps/app_configs                               off          -                                                none        none
MainStorage/ix-apps/app_mounts                                off          -                                                none        none
MainStorage/ix-apps/docker                                    off          -                                                none        none
MainStorage/ix-apps/truenas_catalog                           off          -                                                none        none

Am I doing something wrong here? I would really appreciate your expertise, as I have been experimenting with different replication configurations the whole day.
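
Added example (not part of any post in this thread): a small audit that reads the tab-separated form of the `zfs list` command used above (`-H` added) and reports every dataset that is its own encryption root even though its parent is encrypted, which is the pattern in the Nas B listing. The function names and the shortened sample listings are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: find datasets that are their own encryption root although
# their parent dataset is encrypted too (each one needs its key loaded separately).
# Assumed input: output of
#   zfs list -H -t filesystem -r -o name,encryption,encroot,keyformat,keylocation <pool>
# (-H gives tab-separated lines without a header).

nested_encroots() {
  awk -F'\t' '
    { order[NR] = $1; enc[$1] = $2; root[$1] = $3 }
    END {
      for (i = 1; i <= NR; i++) {
        name = order[i]
        # skip unencrypted datasets and datasets that inherit their key
        if (enc[name] == "off" || root[name] != name) continue
        parent = name
        # strip the last path component; the pool root has no parent
        if (!sub("/[^/]*$", "", parent)) continue
        if ((parent in enc) && enc[parent] != "off")
          printf "%s\t(parent %s is encrypted, key not inherited)\n", name, parent
      }
    }'
}

# Constructed sample, shortened from the destination (Nas B) listing above.
sample_destination() {
  printf '%s\t%s\t%s\t%s\t%s\n' \
    MainStorage off - none none \
    MainStorage/Backup off - none none \
    MainStorage/Backup/Apps aes-256-gcm MainStorage/Backup/Apps hex prompt \
    MainStorage/Backup/Apps/NetBird aes-256-gcm MainStorage/Backup/Apps/NetBird hex prompt \
    MainStorage/Backup/Apps/NetBird/Client aes-256-gcm MainStorage/Backup/Apps/NetBird/Client hex prompt
}

# Constructed sample, shortened from the source (Nas A) listing: children inherit.
sample_source() {
  printf '%s\t%s\t%s\t%s\t%s\n' \
    MainStorage off - none none \
    MainStorage/Apps aes-256-gcm MainStorage/Apps hex prompt \
    MainStorage/Apps/NetBird aes-256-gcm MainStorage/Apps hex none
}

sample_destination | nested_encroots
```

On a live system the same function can be fed directly from the `zfs list -H ...` command instead of the sample.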